Tuesday, March 28, 2017

Is Meeting Regulations Really Enough When It Comes To Security?

By Ron Dinwiddie, Chief Information Officer, Texas Trust Credit Union

Being in a heavily regulated industry, we have an obligation to comply. It is understandable that the regulatory burden often leads some to consider doing the bare minimum to get through the next audit. When faced with an overwhelming number of requirements, we are tempted to calculate the minimum our team needs to do in order to be in compliance and avoid a finding.

As a former consultant and now CIO for my fourth financial institution, I have experienced policies, procedures, and practices that represented the bare minimum needed to satisfy requirements. The reasons for that were either “we don’t have the time to do it better” or “the auditors and examiners didn’t ding us, so it must be OK.”

Maybe this is acceptable in some areas, but how about when it comes to your data and network security?

I am in touch with other IT senior leaders, including CEOs, CIOs and CISSOs, and clearly there is great interest in this industry about how to provide a higher level of security for our credit unions. Topics include multi-level security implemented at the brick and mortar level as well as the newest and most difficult to control – mobile devices. Why are mobile devices so difficult? At the brick and mortar level we can control what security solutions, policies and procedures are implemented, but we have absolutely no control over what our members (customers to non-credit union industries) implement on their own device(s). We can make our mobile banking app secure, but if the member saves their login ID and password on their device and then their device is compromised, so is their banking account.

In my discussions with other industry leaders, we all understand that just meeting regulations is not enough. Several of my peers have stated they were implementing the SANS Top 20 Critical Controls. So why are we all thinking this way?

There are multiple regulatory compliance bodies overseeing various industries, and they don’t all provide the same guidance or requirement levels, suggesting one or more of these guides is missing something or the developers of the guidance have a different idea about what is most important.

These regulatory bodies are mostly reactive; once a vulnerability is identified they then develop the regulation, have it reviewed and approved, and publish it to their constituents. This takes time and leaves us vulnerable if we merely adhere to their publications.

Most regulations, though not all, are geared towards a specific industry, such as credit unions. But those of us in IT understand that bad guys use some of the same tactics from one industry to another to gain access.

It’s very difficult for regulatory bodies to draft a regulation that fits every environment. Not all credit unions have the same network structure, support staff, or ability to implement security solutions. A $40 million credit union doesn’t have the same resources as a $4 billion one, so regulations are designed and written to address organizations of all sizes.

As far as why some IT shops don’t do security as well as they could, let’s look at the first excuse, that “we don’t have the time to do it better.” I would ask them, “Do you have the time to identify, counter, and remediate a network or data breach?” And how much time does it take for one of your IT staff to research and work their way through finding out how to fix a problem when your expert on that particular system or area within IT is not available, as opposed to having your Subject Matter Expert (SME) develop proper procedures so their backup can easily follow them to fix a problem?

If there are loopholes in your policies because they meet the bare minimum requirement, of course you will get compromised. Using lack of time as the reason for not doing things in the best manner possible is inexcusable. By blocking out dedicated time each week to work on these items, and having your direct reports do the same, you will make progress.

As to the second excuse, that “the auditors and examiners didn’t ding us, so it must be OK,” auditors and examiners have checklists to follow. And since some of them are auditing and examining multiple departments, their level of expertise is somewhat limited in one or more of those areas. IT audits and exams are, perhaps, the most difficult. Most auditors and examiners don’t come from an IT background; they get training and look for specific words or phrases in policies and procedures and certain types of software and hardware settings when they come onsite. Your customers – members in the credit union world – deserve more. They deserve the best security you can provide for their personal information.

Think about airports and how many people complain about the TSA security and how it slows everything down. But if those agents slacked off and let someone through who caused harm to people in one way or another, everyone would then scream about how TSA failed to catch them. Think about how many of your users, and in some cases members, complain about your security measures. What would those same people say if it was their personal information that was compromised because you lowered your security standards just to make them happy?

Here are some facts, as reported in Homeland Security/FBI communications I receive, concerning security threats and breaches:

BP reports it suffers 50,000 attempts of cyber-intrusion every day;

The Pentagon reports 10 million attempts every day;

The National Nuclear Security Administration records 10 million attacks every day;

Attackers average 205 days inside an environment before they are discovered;

69% of victims learn from a third party that they have been compromised; and

Healthcare has become a much higher target than financial institutions because their records contain more personal information and the black market has become flooded with compromised debit/credit cards.

Most auditors and examiners you encounter will readily agree that meeting regulations may be the minimum that you should do, but as a responsible senior IT manager you should constantly review and upgrade your security. There are many organizations you can join and become part of to help keep your security knowledge up-to-date. These organizations include the FBI, Department of Homeland Security, InfraGard and FS-ISAC for financial institutions.

Ron Dinwiddie’s 42-year career in IT has spanned most areas of IT in a wide-ranging variety of industries. Ron started his IT career in the United States Navy working with mainframes as an operator, moving into programming, networking, system administration and security before retiring after 22 years on active duty.

After the Navy, Ron became a Unix instructor and consultant before moving into his first CIO role with a financial institution. Ron continued to expand his area of influence by moving to other financial institutions requiring his expertise in rebuilding their IT infrastructure and restructuring the IT services to provide the highest quality of service to end users. Ron also developed and updated Information Security policies and procedures so they complied with regulatory compliance standards.